W3C home > Mailing lists > Public > public-web-perf@w3.org > October 2010

Re: [Open Issue] Privacy concern with Navigation Timing

From: Sigbjørn Vik <sigbjorn@opera.com>
Date: Fri, 22 Oct 2010 09:29:33 +0200
To: public-web-perf@w3.org
Message-ID: <op.vkyu3jky41y844@id-c0735.oslo.opera.com>
On Thu, 21 Oct 2010 19:00:56 +0200, Zhiheng Wang <zhihengw@google.com>  

> On Thu, Oct 21, 2010 at 7:46 AM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
>> I see the following note:
>> "Note: The relaxed same orgin policy doesn't provide sufficient  
>> protection
>> against unauthorized visits accross documents. In shared hosting, an
>> untrusted third party is able to host an HTTP server at the same IP  
>> address
>> but on a different port."
>> I must have missed this discussion, this is similar to the mail just  
>> sent
>> about cookie domains (here called relaxed same origin). I am not quite  
>> sure
>> I understand what "unauthorized visits accross documents" means?
>     ah, right, I missed this in the discussion yesterday. cookie domain
> doesn't work in cases like shared hosting, e.g., I have my web site on
> my.hosting.com and
> yours on yours.hotsting.com. We probably don't want to share information
> between them.

Right, this is a potential problem. However, these domains already share  
cookies, and such domains are rarely used for sensitive data[1]. Timing  
information is not direct information either, only indirect, which at most  
indicates if a user is logged in or not.

My thought is that using a cookie domain will be of great benefit to  
developers, and that it has little real-life negative impact on websites.  
Do you foresee any practical problems doing this?

[1] Maybe with the exception of people putting their personal documents  
online to be available for themselves, but such use cases are unlikely to  
be tricked by spoofing.

Sigbjørn Vik
Quality Assurance
Opera Software
Received on Friday, 22 October 2010 07:30:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:04:29 UTC